Data Spills Cost U.S. Hospitals $6 Billion A Year

It turns out that patients don't appreciate having their medical information wind up in the hands of strangers. And when a healthcare organization loses that sensitive information en masse, it gets hit with customer losses and legal bills adding up to a hefty sum: an average of about $1 million per U.S. hospital per year, or about $6 billion annually for the entire industry.

That's one harsh finding of a study to be released this week by the privacy-focused non-profit Ponemon Institute, which interviewed executives at 67 American healthcare organizations about their data breach incidents over the last two years. On average, those hospitals and clinics experienced 2.4 breaches in the last two years, and lost about 1,769 patients' records in each data spill.

That's a relatively low number of records compared with the average data breach. In broader studies, Ponemon has found that data breaches tend to involve more than 30,000 records. But Ponemon's interviewees say that medical patients are less forgiving than other industries' customers when their data leaves their healthcare provider's control: the ensuing customer losses and brand damage end up costing $471 per customer record on average, more than twice the $204 per compromised record across all industries' breaches.

"You can't just give patients some sort of discount and win them back," says Ponemon founder Larry Ponemon. "In a trusted industry like health care, there's a high expectation of good stewardship of personal information, and when that confidence is lost it leads to customer churn."

The most common culprits for hospitals' data breaches were the usual suspects: lost hard drives, USB sticks and laptops, along with improperly disposed paper records. Only about 20% of incidents involved any criminal intent.

One less expected finding of Ponemon's study: most of the study's subjects believe the tightened privacy standards that accompanied the Obama Administration's $20 billion in stimulus money for healthcare information technology under last year's HITECH Act aren't actually making much difference. That law, which tied the stimulus money to broader requirements for alerting patients when their data may have left their provider's control, didn't lead to any more stringent security, according to 71 percent of the study's participants.

On the other hand, the electronic health record (EHR) systems that those billions of dollars are funding--and that those new privacy standards were created to protect--may be doing more to increase security, according to hospital executives. Seventy-four percent of the interviewees in Ponemon's study who had implemented EHR systems believed that they had strengthened patient data security.

Those views largely contradict the common assumption among the public that digitizing records would only make them easier to steal in volume or lose on a single errant hard drive.

Larry Ponemon argues that at large providers like the Cleveland Clinic, new systems have helped centralize and control patient records instead of letting them accumulate in disparate places around a hospital. "You have to start from the proposition that hospitals have had a tradition of lousy IT that relies on paper billing records and filing without serious privacy controls," he says. "In that respect, EHR may bring up their standards. Without controls, it can be a privacy nightmare. But if you have those controls, it can definitely improve security."